

On Dec 22 2011 the laptop (Dell Vostro 860, with Vista Home Basic, 32bit) started opening some "reporting screens" (false disc scanning) and presenting false virus warnings. Based on the articles I found - it could be described as "Vista 2012" "bug" (virus?).
Followed instructions from various sites and after 4 days it seemed the problem was removed.
From a completely useless computer with a black screen and most of the exe files being hijacked (the bug would open whatever it wanted instead of the file I would choose) I managed to get the laptop to its previous functioning state. However, the laptop seemed fine - but only for about 4 days.

Since Jan 01, the computer has been running fine except for the Malwarebytes' (free trial) popup window coming up every few minutes with the following messages:
"Successfully blocked access to a potentially malicious website: "IP ADDRESS", Type: Outgoing Port: xxxxx, Process: svchost.exe" where:
"xxxxx" is a 5 digit port number changing its value (increment +1) with each message (as the process uses different ports)
"IP ADDRESS" were the following values:
141.136.16.152
178.238.233.153
206.161.121.2
206.161.121.3

I traced all of the addresses and found their sources, however I can't tell if those systems were also compromised and used as relays for infection/attack against my computer or if they are actively attacking. Since then I have been trying most of the tools and methods I found on this and other web sites (MS included). Here are just some names:
TFC
Rkill
PC Doctor
Malwarebytes
HitmanPro
Stinger
Combofix
Pandasecurity
Eset (some EU online scan)
MS Malicious Software Removal Tool

I have Microsoft Defender continuously "on", installed Malwarebytes, Win Firewall has been active and running, all the applications have been updated to the latest definitions. I would disable system restore before going into safe mode and scanning and doing the repair work, then I would reboot in normal mode and scan again. Some of the programs detect some issues, I followed the instructions, removed the files, rebooted etc but after some time - the same problem is back.

The funny thing is that the Win file checker (sfc /scannow) reported problems (svchost.exe -- user32.dll) while the Vista Repair disk downloaded from Neosmart.net ($9.75) doesn't "see" any problems with my system (files). That is of course - when the laptop is booted off of the Vista repair disk.

I am running out of ideas and tools. Not even sure at this point if Malwarebytes isn't creating those popups for commercial purposes (so I purchase the full version)? Any idea or suggestion on how to proceed with this problem is more than welcome.
Here below is the DDS scan and other scans are attached to this post.
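The block messages quoted in this post follow a fixed layout, so they can be parsed and summarised to show the pattern a responder looks for (a system process such as svchost.exe repeatedly beaconing to a small set of addresses on consecutive ephemeral ports). This is an added example, not something posted in the thread; the log lines are constructed from the message format and the four addresses quoted above, and the exact Malwarebytes log layout is assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the format the poster quoted (not a real log dump).
# The four addresses are the ones listed in the post; 203.0.113.5 is a
# documentation address used here for an unrelated inbound block.
SAMPLE_LINES = [
    "Successfully blocked access to a potentially malicious website: 141.136.16.152, Type: Outgoing Port: 49152, Process: svchost.exe",
    "Successfully blocked access to a potentially malicious website: 178.238.233.153, Type: Outgoing Port: 49153, Process: svchost.exe",
    "Successfully blocked access to a potentially malicious website: 206.161.121.2, Type: Outgoing Port: 49154, Process: svchost.exe",
    "Successfully blocked access to a potentially malicious website: 206.161.121.3, Type: Outgoing Port: 49155, Process: svchost.exe",
    "Successfully blocked access to a potentially malicious website: 203.0.113.5, Type: Incoming Port: 445, Process: System",
]

# Assumed layout: "<prefix>: <ip>, Type: <Outgoing|Incoming> Port: <n>, Process: <name>"
PATTERN = re.compile(
    r"Successfully blocked access to a potentially malicious website: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), Type: (?P<type>\w+) Port: (?P<port>\d+), "
    r"Process: (?P<process>\S+)"
)

# Processes that normally should not be the source of blocked outbound traffic
# to unknown hosts; a hit here is a strong sign of injected or replaced code.
SYSTEM_PROCESSES = ("svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe")


def parse_block(line):
    """Return a dict with ip/type/port/process, or None if the line does not match."""
    m = PATTERN.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def summarize(lines):
    """Count outbound blocks per process and per destination and check port pattern."""
    outgoing = [e for e in map(parse_block, lines) if e and e["type"] == "Outgoing"]
    ports = [e["port"] for e in outgoing]
    # Each new connection attempt takes the next ephemeral port, so a run of
    # consecutive ports means one process is retrying in a tight loop.
    sequential = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return {
        "events": len(outgoing),
        "by_process": dict(Counter(e["process"] for e in outgoing)),
        "by_ip": dict(Counter(e["ip"] for e in outgoing)),
        "sequential_ports": sequential,
    }


def flagged_system_processes(summary):
    """System processes that generated blocked outbound connections."""
    return sorted(p for p in summary["by_process"] if p.lower() in SYSTEM_PROCESSES)
```

A summary showing svchost.exe as the only source, four distinct destinations and strictly consecutive ports matches the "trying to go back to its creator" behaviour described later in the thread, and is worth more to a helper than the raw popups.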

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

A small box will open, with an explanation about the tool. No input is needed, the scan is running.

Notepad will open with the results.

Follow the instructions that pop up for posting the results.

Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation:

Hello and thank you for taking ownership of the logs.
I have gathered a 2nd version of all three logs - as requested by the automated post (please see above).
Please find them attached, they are from 10 min ago.
msm2012

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.

Some things to remember while we are working together.

Do not run any other tool until instructed to do so!

Please do not attach logs or put logs in code boxes.

Tell me about any problems that have occurred during the fix.

Tell me of any other symptoms you may be having as these can also help.

Do not run anything while running a fix.

If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable. It would also be wise to contact those same financial institutions to apprise them of your situation.

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.

A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).

Copy and paste the contents of that file in your next reply.

-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

I see you ran ComboFix. I'd like to see the log file from it.

Locating ComboFix Log

Right click on START on the left end of your Windows toolbar (lower left corner of your screen)

Click on Explore

Click on Local Disk (C:) in the left-hand window pane

Look for ComboFix.txt in the right-hand window pane and right click on it

Put your cursor (arrow) on Open With

Move your cursor to the new menu that opens and click on Choose Program...


Good morning jntkwx
Went over the links you provided and am leaning towards the cleanup option for start.
The PC is a Dell Vostro and it came with pre-installed Win Vista Home Basic, however without the repair disc. Contacted Dell and they refused to send me one without paying for it - even though I paid a full Win Vista license when I purchased the Laptop. Spoke to MS and they washed their hands saying it's Dell's responsibility.
Downloaded a repair disc for $9.75 from Neosmart.net but it doesn't have the Install option? If I remember correctly their description of it - it should have had it?
Q1. What should I do in order to acquire a re-install disc for my version of Vista?

The PC is used for work and it does have sensitive info on it but given the time it has been infected - the damage has been done.
Q2. Would you have an idea on how I got that infection? My guess is a link on some web site - but also possible email attachments.
Q3. Several thumbdrives have been in use with the infected laptop. What (if any) is the process of scanning/cleaning those flash memories?
Q4. You asked for the Combofix log - would you like the old one, a fresh one (today) or both?

Malwarebytes is popping up every minute or so - with the same message :"Successfully blocked access to the following IP..... svchost.exe"
So it seems the infection is still active and is trying to go back to its creator

Yesterday, the laptop booted up to a black background with the following message in the bottom right corner:
Windows Vista
Build 6002
This copy of Windows is not genuine

Fixed it by calling Microsoft activation services who helped me re-activate the system and it is fine now
However, knowing what you said (key logger) I might have done a wrong thing ?

Going to work on the cleanup today and will send you the log based on your feedback to Q4 above.
Thank you again for your help.
msm2012

Unfortunately, to get a repair disc, you would have to purchase one from Dell, since you have what is called an OEM (original equipment manufactured) version of Windows. However, I don't think this will be needed to fix your computer.

It's hard to say how you were infected. Many computers are infected by having outdated versions of common software, like Adobe Reader, Adobe Flash, and Java. I also notice you appear to not have an antivirus program installed on your computer. I will help you fix this once we have removed the malware.

While a flash drive infection is not apparent in your log, you may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings.

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.

Wait until it has finished scanning and then exit the program.

Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
Anti-Malware programs flag Flash Disinfector as being infected because of the way in which it runs.

Regarding the Windows activation, I believe you did the right thing by calling Microsoft, however I'm not sure why you got that message in the first place.

I would first like to see the old Combofix log. Please don't create a new log until I instruct you to do so.


I have been trying to start/activate Flash_Disinfector but it won't.
Tried double clicking as well as Run as Admin. It asks me if I want to allow it to run.
After I answer positively, the popup closes, the mouse gets that Microsoft turning circle for about 4 sec and that's it. No applications with a name similar to Flash_Disinfector are to be found in the Task Manager.


Please download a new version of Combofix: Link 1, Link 2, Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<.

3. Double click on combofix.exe & follow the prompts.

Important:

Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

In your next reply, please include:

Combofix log

How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.


Hello Jason
Attached please find the Combofix log made per your instructions.
The computer seems to be running fine. No more of that popup window from Malwarebytes with the message of svchost.exe initiating access to those four IP addresses. However I see a new message (jpg attached) about the last update. Should I run it to see what it is about?


Thanks Jason
Will do the steps above tonight.
The computer is running very well.
The Combofix log shall be copy/pasted in the reply message body and the MiniToolBox log shall be attached as a txt file?
msm2012